Foreign Investment Stakeholder Group key messages 20 July 2023

How do I know if I am authorised to act on behalf of the foreign investor?

You can view and manage all of your authorisations through RAM or Online services for foreign investors.

How do I identify the principal authority of a business?

The principal authority is the person responsible for the business. For example, an Australian representative of the business, trustee, director or partner.

Is it secure to enter the details of my identity documents when I set up my myGovID?

myGovID uses encryption and cryptographic technology as well as the security features built-in to your device, such as fingerprint or face. This is to protect your identity and help stop other people accessing your information.

Your details are checked against existing government records to prove your identity. When using government online services, your personal information will not be shared without your permission - putting you in control.

Once you have verified your identity documents to set up your myGovID, they become locked to your myGovID email and cannot be verified again by another myGovID.

Will myGovID make it easier for someone to steal and use my personal information?

myGovID is accredited under the Trusted Digital Identity Framework which strictly controls how your identity data is collected, stored, and used.

To access the myGovID app you need to have a password and you can opt to use the built-in security features in your device, such as fingerprint or face, to further protect your digital identity. This ensures that if your smart device is lost or stolen your myGovID remains protected.

You have control of your personal information at all times and nothing will be shared without your permission.

The Digital Transformation Agency and the ATO have completed Privacy Impact Assessments and worked with independent consultants throughout the process to ensure the security of myGovID.

Can a principal authority or authorisation administrator access the details of my, myGovID?

No, your myGovID belongs to you and should not be shared with others.

Can multiple individuals from different firms be authorised by a client as authorisation administrators? If so, are authorisation administrators only able to revoke authorisation for other individuals that they themselves have authorised, or are they able to amend authorisations provided by someone else, for example, revoke access for a different authorised representative from a different firm?

An entity can have multiple authorisation administrators appointed in RAM.

An authorisation administrator can set up and manage all authorisations in RAM only for the entity they have been authorised by to do so.

An authorised administrator can edit and revoke all accesses, except for the principal authority.

A principal authority can assign multiple people from different firms as authorised administrators.

If I set up my myGovID using a personal email address, do client authorisations need to be sent to that address?

A business email can be used when setting up an authorisation for a representative in RAM, it does not need to match the email address they used to set up their myGovID.

However, the email address should only be able to be accessed by them, as this is where the authorisation request and future notifications are sent.

How is a register notice completed for acquisitions of land entities, (to the extent that they are not entity acquisitions which separately need to be reported under subdivision C of Division 3 of Part 7A)?

This question has been taken on notice and an answer will be made available in due course.

How can firms maintain uninterrupted access to Online services for foreign investors in the event of an authorised user (appointed by client) being unexpectedly absent or leaving permanently?

Communications will still go via email for some notifications, others will show in the Online services for foreign investors account, and any authorised users will have access to this.

Clients may wish to appoint multiple authorisation administrators in RAM to overcome this issue.

Online services for foreign investors allows any authorised person to see what was submitted, when, and have the option of amending or updating as required.

Can an authorised user amend or alter a client’s existing information or records within the register including where these activities may have originally been completed/recorded by another entity?

The ATO has strong protections in place over information in its systems. All actions in Online services for foreign investors, like any other ATO record, are recorded and the history is retained, even if the event is no longer visible in the system.

Changes made to an existing registered asset within Online services for foreign investors will prompt an internal review by ATO staff.

An authorised user can print (including saving as a pdf) any event or registration they have completed to retain a record with a submission number, for proof of what they submitted.

Practitioners should consider whether their internal governance processes require updating to reflect this new way of doing business, including documents and records management systems.

Is there a risk with respect to the disclosure of confidential information given an authorised representative (of which there may be many) is able to access all of the information on the register.

Whilst the system allows an agent to view this information, it does require a person to actively seek that information. It would be incumbent upon the practitioner to ensure they do not breach their authority and actively seek material they are not authorised for.

We also note that this information is protected information, and any unauthorised use or disclosure of such information by a practitioner is an offence.

The terms and conditions for the use of Online services for foreign investors can be found here - ATO Online services for foreign investors terms and conditions.

For legal practitioners who are authorised representatives, would inadvertent exposure to confidential information in connection with another interest create a potential for conflict between the duty of confidentiality and the duty of disclosure? For example, if the lawyer acts for another client and information they inadvertently see within the service is relevant to a matter on which they are working for that other client, they will be in a position of conflict.

The ATO complies with National Privacy Principles and relevant privacy impact assessments have been conducted as part of the development of the new system.

Where a conflict of interest exists, perceived or real, the practitioner will have a duty to disclose and manage that conflict.

Whilst the system allows an agent to view this information, it does require a person to actively seek that information. It would be incumbent upon the practitioner to ensure they do not breach their authority and actively seek material they are not authorised for, in line with professional ethical requirements.